
Capture Network Traffic With TCPDUMP

What is tcpdump?

The opening sentence of the manpage description sums it up well: “… tcpdump prints out a description of the contents of packets on a network interface …”. It captures every incoming and outgoing packet on an interface and either prints it directly on the command line or writes it to a file for later analysis with Wireshark.

tcpdump lets you set a “capture filter” so that only the packets you are interested in are saved. Keep in mind that a capture filter is applied before anything is written: packets it rejects are not in the file and cannot be recovered later, unlike a Wireshark display filter, which only hides packets from view.
If you want to get a first feeling for capture filters, refer to Introduction to Wireshark – Part 2.

How can I capture network traffic with tcpdump?

First of all you need tcpdump installed on your Linux instance, if it is not already available.
On an RPM-based distribution you can install it with the following command (root permissions required): yum install tcpdump

After the installation you should be able to find tcpdump at following location: /usr/sbin/tcpdump

There are now two ways to capture network traffic:

Capture network traffic and show it directly on the command line
Use the following command to show the traffic on interface eth0 with maximum verbosity: /usr/sbin/tcpdump -i eth0 -vvv
Add -n if you do not want tcpdump to resolve addresses to names; the reverse DNS lookups slow the output down and send the captured IP addresses to your resolver.

Capture network traffic and save it to a file
Use the following command to save the traffic on interface eth0 to a file called tcpdump.pcap in the folder /tmp/: /usr/sbin/tcpdump -i eth0 -w /tmp/tcpdump.pcap

There is one more option that is important to know: “-s” sets the snaplen, the number of bytes captured from each packet. If you don’t specify -s, recent tcpdump versions capture the default of 262144 bytes, i.e. whole packets. To save disk space you can capture only the first bytes of each packet, but everything beyond the snaplen is lost: a truncated capture still shows the headers, not the full payload.

Other examples to capture network traffic:

Use the following command to save the traffic on interface eth0 to a file called tcpdump.pcap in the folder /tmp/ and capture only packets sent to or from IP address 10.1.2.3: /usr/sbin/tcpdump -i eth0 -w /tmp/tcpdump.pcap host 10.1.2.3
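The two options above, -s and the host filter, as an added example that is not part of the original page or of tcpdump’s own code: a small Python writer/reader for the classic pcap file format that tcpdump -w produces. It constructs three Ethernet/IPv4 frames in memory (no real capture and no root needed), writes them at a given snaplen, reads them back and reports how many records were cut short (caplen smaller than origlen, which Wireshark flags as “Packet size limited during capture”) and how many match a host 10.1.2.3 filter. The frame contents, addresses and helper names are assumptions made for the illustration.

```python
"""Added example (not code from the original page or from tcpdump itself):
a minimal writer/reader for the classic libpcap format that `tcpdump -w`
produces, used to show what `-s <snaplen>` and a `host <ip>` filter do to
the saved data. All frames are constructed in memory, not captured."""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1        # DLT_EN10MB, what tcpdump uses for eth0
DEFAULT_SNAPLEN = 262144     # tcpdump's default when -s is not given


def build_frame(src_ip, dst_ip, payload):
    """Constructed Ethernet/IPv4 frame. MACs and checksums are zero; that is
    enough to exercise the pcap record format and an address-based filter."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload),                    # version/IHL, TOS, total length
        0, 0, 64, 17, 0,                               # id, flags/frag, TTL, proto UDP, csum
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    return eth + ip_hdr + payload


def write_pcap(frames, snaplen=DEFAULT_SNAPLEN):
    """Emulate `tcpdump -w out.pcap -s <snaplen>`: each record stores both the
    captured length (caplen) and the original on-the-wire length (origlen)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, frame in frames:
        captured = frame[:snaplen]                     # this is what -s throws away
        out += struct.pack("<IIII", ts_sec, 0, len(captured), len(frame)) + captured
    return out


def read_pcap(data):
    """Parse a little-endian classic pcap blob; return (snaplen, records)."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file: magic 0x%08x" % magic)
    snaplen, linktype = struct.unpack_from("<II", data, 16)
    records, off = [], 24
    while off < len(data):
        ts_sec, _, caplen, origlen = struct.unpack_from("<IIII", data, off)
        off += 16
        pkt = data[off:off + caplen]
        off += caplen
        rec = {"ts": ts_sec, "caplen": caplen, "origlen": origlen,
               "truncated": caplen < origlen, "src": None, "dst": None}
        # IPv4 source/destination live at bytes 26-33 of an Ethernet/IPv4 frame
        if linktype == LINKTYPE_ETHERNET and len(pkt) >= 34 and pkt[12:14] == b"\x08\x00":
            rec["src"] = str(ipaddress.IPv4Address(pkt[26:30]))
            rec["dst"] = str(ipaddress.IPv4Address(pkt[30:34]))
        records.append(rec)
    return snaplen, records


def host_filter(records, host):
    """What the `host 10.1.2.3` capture filter keeps: packets to OR from host."""
    return [r for r in records if host in (r["src"], r["dst"])]


def truncated_count(records):
    """Practitioner check: how many records lost bytes to the snaplen."""
    return sum(1 for r in records if r["truncated"])


# Constructed traffic: one large packet from 10.1.2.3, two small ones.
FRAMES = [
    (1, build_frame("10.1.2.3", "192.0.2.10", b"A" * 1400)),
    (2, build_frame("192.0.2.10", "10.1.2.3", b"B" * 40)),
    (3, build_frame("198.51.100.7", "192.0.2.10", b"C" * 40)),
]


def capture_summary(snaplen):
    """Run the emulated capture at a given snaplen and summarise the result."""
    hdr_snaplen, recs = read_pcap(write_pcap(FRAMES, snaplen))
    return {
        "snaplen": hdr_snaplen,
        "packets": len(recs),
        "truncated": truncated_count(recs),
        "to_or_from_10.1.2.3": len(host_filter(recs, "10.1.2.3")),
        "bytes_on_disk": sum(r["caplen"] for r in recs),
    }


if __name__ == "__main__":
    for s in (DEFAULT_SNAPLEN, 96):
        print("-s %d:" % s, capture_summary(s))
```

With the default snaplen all three frames are stored whole; with -s 96 the 1434-byte packet is stored as 96 bytes and the file header records the snaplen, so anyone reading the file later can see that payloads past byte 96 were never saved. The host filter keeps the two frames that have 10.1.2.3 as source or destination, which is what tcpdump’s “host” primitive matches. Real captures from tcpdump -w can be parsed with read_pcap as long as they are the classic little-endian pcap format rather than pcapng.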

Script

Summary

I already mentioned it on my other pages:
Daily (even hourly) I use sentences like “let’s take a tcpdump…” or “I think the best way to start attacking that problem is with a tcpdump…”.
It has been very helpful in my career and it usually leads straight to the root of the problem.